Commit Graph

134 Commits

Author SHA1 Message Date
Marc-André Lureau
f65efddd1c udev: allow kvm group to access vhost-net device
/dev/vhost-net is a host accelerator for virtio net devices. It has been
long available and used, thus should be safe to all KVM users.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2021-01-13 13:12:26 +04:00
Marc-André Lureau
c78939d565 udev: allow kvm group to access vhost-vsock device
/dev/vhost-vsock allows to setup a guest CID and running
state (VHOST_VSOCK_SET_GUEST_CID, VHOST_VSOCK_SET_RUNNING)

All this should be legitimate and safe for KVM users.

Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2021-01-13 13:10:19 +04:00
Jörg Thalheim
d7aa78c32f meson: add option to skip installing to $sysconfdir
This is useful for development where overwriting files out side
the configured prefix will affect the host as well as stateless
systems such as NixOS that don't let packages install to /etc but handle
configuration on their own.

Alternative to https://github.com/systemd/systemd/pull/17501

tested with:

$ mkdir inst build && cd build
$ meson \
  -Dcreate-log-dirs=false \
  -Dsysvrcnd-path=$(realpath ../inst)/etc/rc.d \
  -Dsysvinit-path=$(realpath ../inst)/etc/init.d \
  -Drootprefix=$(realpath ../inst) \
  -Dinstall-sysconfdir=false \
  --prefix=$(realpath ../inst) ..
$ ninja install
2020-11-12 11:21:46 +01:00
Yu Watanabe
db9ecf0501 license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
Kairui Song
edb8c98446 pstore: don't enable crash_kexec_post_notifiers by default
commit f00c36641a enabled
crash_kexec_post_notifiers by default regardless of whether pstore
is enabled or not.

The original intention to enabled this option by default is that
it only affects kernel post-panic behavior, so should have no harm.
But this is not true if the user wants a reliable kdump.

crash_kexec_post_notifiers is known to cause problem with kdump,
and it's documented in kernel. It's not easy to fix the problem
because of how kdump works. Kdump expects the crashed kernel to
jump to an pre-loaded crash kernel, so doing any extra job before
the jump will increase the risk.

It depends on the user to choose between having a reliable kdump or
some other post-panic debug mechanic.

So it's better to keep this config untouched by default, or it may put
kdump at higher risk of failing silently. User should enable it by
uncommenting the config line manually if pstore is always needed.

Also add a inline comment inform user about the potential issue.

Thanks to Dave Young for finding out this issue.

Fixes #16661

Signed-off-by: Kairui Song <kasong@redhat.com>
2020-10-22 11:17:39 +02:00
Lennart Poettering
203c07c95b tmpfiles: don't complain if we can't enable pstore in containers 2020-05-25 16:43:35 +02:00
Eric DeVolder
f00c36641a pstore: introduce tmpfiles.d/systemd-pstore.conf
The systemd pstore service archives the contents of /sys/fs/pstore
upon boot so that there is room for a subsequent dump.  The issue is
that while the service is present, the kernel still needs to be
configured to write data into the pstore. The kernel has two
parameters, crash_kexec_post_notifiers and printk.always_kmsg_dump,
that control writes into pstore.

The crash_kexec_post_notifiers parameter enables the kernel to write
dmesg (including stack trace) into pstore upon a panic, and
printk.always_kmsg_dump parameter enables the kernel to write dmesg
upon a shutdown (shutdown, reboot, halt).

As it stands today, these parameters are not managed/manipulated by
the systemd pstore service, and are solely reliant upon the user [to
have the foresight] to set them on the kernel command line at boot, or
post boot via sysfs. Furthermore, the user would need to set these
parameters in a persistent fashion so that that they are enabled on
subsequent reboots.

This patch introduces the setting of these two kernel parameters via
the systemd tmpfiles technique.
2020-05-15 23:15:26 +02:00
Lennart Poettering
fb38a7beb8 tmpfiles: apply ACLs to top-level journal directory in /run, too
We already apply them to the directory in /var. Let's do the same in
/run too. That's because due to the log namespace logic we nowadays can
gain additional subdirs there during regular operation.
2020-01-31 15:04:12 +01:00
Lennart Poettering
0f5a4f9cd9 tmpfiles: merge lines for the same inodes 2020-01-31 15:04:08 +01:00
Topi Miettinen
07317d6e34
resolved, networkd: don't resolve the user if not root
If a daemon is not started as root, most likely it also can't create its
directory and let's not try to resolve the user in that case either.

Create /run/systemd/netif/lldp with tmpfiles.d like other netif directories.

This is also very helpful for preparing a RootImage for the daemons as NSS crud
is not needed.
2019-12-07 18:55:54 +02:00
Steve Traylen
7a72a95741 Corect man page reference in systemd-nologin.conf comments
The reference to the man page of `systemd-user-sessions.service`
in the comments of `tmpfiles.d/systemd-nologin.conf` is corrected.
2019-09-24 09:48:03 +02:00
Donald A. Cupp Jr
d34a58222d Update m4 for selective utmp support.
modified:   tmpfiles.d/systemd.conf.m4
2019-09-16 21:11:44 +02:00
Zbigniew Jędrzejewski-Szmek
1f9290fcc4 tmpfiles: override permissions of static nodes that need this
Fixes #13350.
2019-08-19 12:08:14 +02:00
Zbigniew Jędrzejewski-Szmek
9ba77b9949 tmpfiles: copy files to /etc only on boot
We'd copy /etc/nsswitch.conf, /etc/pam.d/, and /etc/issue (*) on every
tmpfiles --create run. I think we should only do this at boot, so if
people install systemd.rpm in a larger transaction and want to create those
files at a later step, we don't interfere with that.

(Stuff like /etc/os-release and /etc/mtab is not really configurable,
we might as was create it uncondtionally.)

(Seemingly, the alternative approach might be to not call
systemd-tmpfiles --create in systemd.rpm %post. But this wouldn't have much
effect, because various packages call it anyway, and our
%tmpfiles_create_package macro does too.  So we need to change the
configuration instead.)

(*) We don't provide /usr/share/factory/issue, so normally this fails, but
somebody else might provide that file, so it seems useful to keep the
C line.
2019-07-25 19:13:41 +02:00
Zbigniew Jędrzejewski-Szmek
09bef967d9 tmpfiles: stop creating /etc/localtime symlink
If the symlink is not present, UTC is the default. There *is* a slight
advantage to it: humans might expect it to be present and look in /etc.
But it might interfere with post-install scripts and it doesn't serve
any technical purpose. Let's not create it. Fixes #13183.
2019-07-25 19:12:02 +02:00
Lennart Poettering
062666c7c4 factory: add default /etc/issue file
Booting up an image with --volatile=yes otherwise looks so naked, so
let's include this file in the default factory too. It's common and
simple and should be safe to ship.
2019-07-24 08:57:23 +09:00
Krayushkin Konstantin
aae3c9a075 coredump: fixed bug - some coredump temp files could be lost
If the machine was suddenly shutted down (hard reboot for example) while
processing core dump, temp files created manually (not with a O_TEMPFILE flag)
stay in the system. After reboot systemd-coredump treat them as usual files, so
they wouldn't be rotated and shall pollute the filesystem.

Solution is to simply add those temp files to systemd-tmpfiles configs.
2019-05-31 12:57:35 +02:00
Xi Ruoyao
a45ef5070d tmpfiles: do not create /run/nologin if PAM is disabled
If systemd is not built with PAM support, systemd-user-sessions.service
won't be built.  On systems without PAM, /run/nologin is useless.  On
systems with PAM but systemd is not built with PAM, /run/nologin won't
be removed and all unprivileged users can't login.

So, we should not create /run/nologin if systemd is built without PAM.
2019-05-13 15:35:51 +02:00
Franck Bui
63f28cad3e tmpfiles: split tmp.conf out
tmp.conf was dealing with 2 different kind of paths: one dealing with general
temporary paths such as /var/tmp and /tmp and the other one dealing with
temporary directories owned by systemd.

If for example a user wants to adjust the age argument of the general paths
only, he had to overload the whole file which is cumbersome and error prone
since any future changes in tmp.conf shipped by systemd will be lost.

So this patch splits out tmp.conf so the systemd directories are dealt
separately in a dedicated conf file. It's named "systemd-tmp.conf" based on the
naming recommendation made in tmpfiles.d man page.

In practice it shouldn't cause any regression since it's very unlikely that
users override paths owned by systemd.
2019-04-13 12:07:03 +02:00
Yu Watanabe
5b5d826150 sysusers,tmpfiles: re-create systemd-network, systemd-resolve and systemd-timesync
This partially reverts d4e9e574ea,
0187368cad, and
4240cb02fd.
The services systemd-networkd, systemd-resolved, and systemd-timesyncd
enable DynamicUsers= and have bus interfaces. Unfortunately, these
has many problems now. Let us create the relevant users, at least,
tentatively.

Fixes #9503.
2018-07-16 17:11:50 +02:00
Yu Watanabe
400d846138 tmpfiles: specify access mode for /run/systemd/netif
This partially reverts 2af7677294.
As the directories are certainly readable and not-writable by
non-privileged users.
2018-06-25 10:32:13 +02:00
Yu Watanabe
2af7677294 tmpfile: do not specify mode and owner to /run/systemd/netif
Fixes #9369.
2018-06-22 12:00:52 +02:00
Zbigniew Jędrzejewski-Szmek
0cd41d4dff Drop my copyright headers
perl -i -0pe 's/\s*Copyright © .... Zbigniew Jędrzejewski.*?\n/\n/gms' man/*xml
git grep -e 'Copyright.*Jędrzejewski' -l | xargs perl -i -0pe 's/(#\n)?# +Copyright © [0-9, -]+ Zbigniew Jędrzejewski.*?\n//gms'
git grep -e 'Copyright.*Jędrzejewski' -l | xargs perl -i -0pe 's/\s*\/\*\*\*\s+Copyright © [0-9, -]+ Zbigniew Jędrzejewski[^\n]*?\s*\*\*\*\/\s*/\n\n/gms'
git grep -e 'Copyright.*Jędrzejewski' -l | xargs perl -i -0pe 's/\s+Copyright © [0-9, -]+ Zbigniew Jędrzejewski[^\n]*//gms'
2018-06-14 13:03:20 +02:00
Lennart Poettering
96b2fb93c5 tree-wide: beautify remaining copyright statements
Let's unify an beautify our remaining copyright statements, with a
unicode ©. This means our copyright statements are now always formatted
the same way. Yay.
2018-06-14 10:20:21 +02:00
Lennart Poettering
61d0578b07 add new portable service framework
This adds a small service "systemd-portabled" and a matching client
"portablectl", which implement the "portable service" concept.

The daemon implements the actual operations, is PolicyKit-enabled and is
activated on demand with exit-on-idle.

Both the daemon and the client are an optional build artifact, enabled
by default rhough.
2018-05-24 17:01:57 +02:00
Yu Watanabe
d4e9e574ea network: set DynamicUser= to systemd-networkd.service 2018-05-22 22:37:34 +09:00
Lennart Poettering
a78388e1cb tmpfiles: create /var/{lib,log,cache}/private during early boot
This directory is used by the DynamicUer= stuff when used in combination
with StateDirectory=/LogDirectory=/CacheDirectory=. Let's make sure the
dir exists early on with the right perms. This is not strictly necessary
as we'll also create the dir on demand if it is missing, but in the
interest of grabbing the name early on, and making things more explicit
let's also list this in a tmpfiles.d/ snippet.
2018-05-18 11:00:42 +09:00
Yu Watanabe
348b44372f meson: generate m4 preprocessor from config.h (#8914) 2018-05-07 11:17:35 +02:00
Lennart Poettering
32b8157f88 meson: install nspawn tmpfiles snippet only when machined is turned on 2018-04-17 19:51:43 +02:00
Zbigniew Jędrzejewski-Szmek
11a1589223 tree-wide: drop license boilerplate
Files which are installed as-is (any .service and other unit files, .conf
files, .policy files, etc), are left as is. My assumption is that SPDX
identifiers are not yet that well known, so it's better to retain the
extended header to avoid any doubt.

I also kept any copyright lines. We can probably remove them, but it'd nice to
obtain explicit acks from all involved authors before doing that.
2018-04-06 18:58:55 +02:00
Lennart Poettering
6e11e7e67d nologin: extend the /run/nologin descriptions a bit (#8244)
This is an attempt to improve #8228 a bit, by extending the /run/nologin
a bit, but still keeping it somewhat brief.

On purpose I used the vague wording "unprivileged user" rather than
"non-root user" so that pam_nologin can be updated to disable its
behaviour for members of the "wheel" group one day, and our messages
would still make sense.

See #8228.
2018-02-22 14:21:30 +01:00
Zbigniew Jędrzejewski-Szmek
3a726fcd08 Add license headers and SPDX identifiers to meson.build files
So far I avoided adding license headers to meson files, but they are pretty
big and important and should carry license headers like everything else.
I added my own copyright, even though other people modified those files too.
But this is mostly symbolic, so I hope that's OK.
2017-11-19 19:08:15 +01:00
Dimitri John Ledkov
e6b2d948f8 resolved: create private stub resolve file for /etc/resolv.conf integration (#7014)
This creates a second private resolve.conf file which lists the stub resolver
and the resolved acquired search domains.

This runtime file should be used as a symlink target for /etc/resolv.conf such
that non-nss based applications can resolve search domains.

Fixes: #7009
2017-10-24 15:28:41 +02:00
Frederic Crozat
4a1f92c704 tmpfiles: remove old ICE and X11 sockets at boot (#6979)
tmpfiles: remove old ICE and X11 sockets at boot

When not using tmpfs based /tmp, leftover sockets
might prevent X startup. Ensure directory is clean at boot time.
2017-10-06 01:28:19 +02:00
Lennart Poettering
f6e64b78cc tmpfiles: change btmp mode 0600 → 0660 (#6997)
As discussed in #6994.

Fixes: #6994
2017-10-04 21:44:29 +02:00
Zbigniew Jędrzejewski-Szmek
1ec57f3394 build-sys: s/ENABLE_RESOLVED/ENABLE_RESOLVE/
The configuration option was called -Dresolve, but the internal define
was …RESOLVED. This options governs more than just resolved itself, so
let's settle on the version without "d".
2017-10-04 12:09:51 +02:00
Zbigniew Jędrzejewski-Szmek
3211da4bcb build-sys: s/HAVE_UTMP/ENABLE_UTMP/
"Have" should be about the external environment and dependencies. Anything
which is a pure yes/no choice should be "enable".
2017-10-04 12:09:50 +02:00
Zbigniew Jędrzejewski-Szmek
349cc4a507 build-sys: use #if Y instead of #ifdef Y everywhere
The advantage is that is the name is mispellt, cpp will warn us.

$ git grep -Ee "conf.set\('(HAVE|ENABLE)_" -l|xargs sed -r -i "s/conf.set\('(HAVE|ENABLE)_/conf.set10('\1_/"
$ git grep -Ee '#ifn?def (HAVE|ENABLE)' -l|xargs sed -r -i 's/#ifdef (HAVE|ENABLE)/#if \1/; s/#ifndef (HAVE|ENABLE)/#if ! \1/;'
$ git grep -Ee 'if.*defined\(HAVE' -l|xargs sed -i -r 's/defined\((HAVE_[A-Z0-9_]*)\)/\1/g'
$ git grep -Ee 'if.*defined\(ENABLE' -l|xargs sed -i -r 's/defined\((ENABLE_[A-Z0-9_]*)\)/\1/g'
+ manual changes to meson.build

squash! build-sys: use #if Y instead of #ifdef Y everywhere

v2:
- fix incorrect setting of HAVE_LIBIDN2
2017-10-04 12:09:29 +02:00
Lukáš Nykrýn
9c63ba988d tmpfiles.d/journal-nocow: fix typo (#6804) 2017-09-12 13:28:21 -03:00
Yu Watanabe
29444df23b tmpfiles: drop systemd-remote.conf
The directories are only used by the specific services, and
created before the services are started. So, it is not necessary
to create them by systemd-tmpfiles.
2017-08-08 12:17:07 +09:00
Zbigniew Jędrzejewski-Szmek
e5f752082e build-sys: drop gitignore patterns for in-tree builds
... and other autotools-generated files.
2017-07-18 10:05:06 -04:00
Zbigniew Jędrzejewski-Szmek
72cdb3e783 build-sys: drop automake support
v2:
- also mention m4
2017-07-18 10:04:44 -04:00
Michael Biebl
aff804febc tmpfiles: create /var/log/lastlog if it does not exist
Create /var/log/lastlog the same way we create utmp and wtmp.
This is useful for stateless systems where /var is volatile and a
missing /var/log/lastlog otherwise creates error messages like

Jun 27 20:00:00 huron sshd[1234]: lastlog_openseek: Couldn't stat /var/log/lastlog: No such file or directory

Fixes #6234
2017-06-29 08:01:37 +02:00
Yu Watanabe
525e9db3b3 meson: do not use path separator for target name (#6177)
Fixes #6158.
2017-06-22 21:27:07 -04:00
Franck Bui
f47183183c build: *really* install tmpfiles.d/systemd-remote.conf when necessary (#6061)
This fixes commit 5e354b2252 which was an attempt to avoid installation
of tmpfiles.d/systemd-remote.conf when it was not needed (ie HAVE_REMOTE=false).

Before this fix and with the autotool build, systemd-remote.conf was
distributed and also installed (although it was empty) even though
HAVE_REMOTE=false.

That's what happens when doing last second changes without retesting...

While at it, update tmpfiles.d/.gitignore (var.conf was missing as well
since commit a083537e5d).
2017-05-31 09:44:08 -04:00
Franck Bui
5e354b2252 build: only install tmpfiles.d/systemd-remote.conf when necessary (#6051)
Also only include the relevant parts for systemd-journal-remote and
systemd-journal-upload when needed.
2017-05-30 13:27:26 -04:00
codekipper
a083537e5d tmpfiles: Remove unnecessary utmp file creation (#6006)
If utmp is disabled (--disable-utmp) then there is no need to create
the wtmp and btmp files.
2017-05-24 11:10:59 +02:00
Zbigniew Jędrzejewski-Szmek
2c201c2140 meson: use booleans for conf.set and drop unecessary conditionals
Using conf.set() with a boolean argument does the right thing:
either #ifdef or #undef. This means that conf.set can be used unconditionally.

Previously I used '1' as the placeholder value, and that needs to be changed to
'true' for consistency (under meson 1 cannot be used in boolean context). All
checks need to be adjusted.
2017-05-02 16:29:11 -04:00
Zbigniew Jędrzejewski-Szmek
37efbbd821 meson: reindent all files with 8 spaces
The indentation for emacs'es meson-mode is added .dir-locals.

All files are reindented automatically, using the lasest meson-mode from git.
Indentation should now be fairly consistent.
2017-04-23 21:47:29 -04:00
Michael Biebl
e17e5ba9bf meson: use join_paths consistently
With -Dsplit-usr=true, we set rootprefix to /. This leads to //lib/systemd or
//lib/udev for various dir variables. Using join_paths() avoids this.
2017-04-23 21:47:28 -04:00